Category: Validation and trust
Complexity: ⭐⭐⭐⭐ (High)
Prerequisites: A built certificate chain
Estimated time: 15-20 minutes
This scenario describes complete certificate chain validation according to RFC 5280. Validation checks:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the certificate to validate
var serverCert = ctx.LoadCertificate("server.crt.pem");

// Full chain validation (X509Chain is IDisposable, so dispose it when done)
using var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
chain.ChainPolicy.VerificationTime = DateTime.UtcNow;

// Additional intermediate certificates
chain.ChainPolicy.ExtraStore.Add(ctx.LoadCertificate("intermediate-ca.crt.pem"));

// Build and validate the chain
bool isValid = chain.Build(serverCert);

// Evaluate the result
Console.WriteLine($"Validacija lanca: {(isValid ? "VALJAN" : "NEVALJAN")}");
if (!isValid)
{
    foreach (var element in chain.ChainElements)
    {
        foreach (var status in element.ChainElementStatus)
        {
            Console.WriteLine($"  {element.Certificate.Subject}");
            Console.WriteLine($"    Greška: {status.Status}");
            Console.WriteLine($"    Detalji: {status.StatusInformation}");
        }
    }
}
```

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Result type used by ChainValidator (the original fragment referenced it without defining it)
public class ValidationResult
{
    public bool IsValid { get; set; }
    public List<string> Errors { get; set; } = new();
    public List<string> Warnings { get; set; } = new();
}

public class ChainValidator
{
    public ValidationResult ValidateChain(X509Certificate2 certificate, ValidationOptions options)
    {
        var result = new ValidationResult { IsValid = true };
        using var chain = new X509Chain();
        ConfigureChainPolicy(chain.ChainPolicy, options);

        if (!chain.Build(certificate))
        {
            result.IsValid = false;
            result.Errors = ExtractErrors(chain);
        }

        // Additional PQ checks
        if (options.RequirePostQuantum)
        {
            ValidatePqRequirements(chain, result);
        }

        return result;
    }

    private void ConfigureChainPolicy(X509ChainPolicy policy, ValidationOptions options)
    {
        policy.RevocationMode = options.CheckRevocation
            ? X509RevocationMode.Online
            : X509RevocationMode.NoCheck;
        policy.RevocationFlag = X509RevocationFlag.EntireChain;
        policy.VerificationTime = options.ValidationTime ?? DateTime.UtcNow;
        // Apply the timeout for CRL/OCSP retrieval (defined in ValidationOptions but not applied before)
        policy.UrlRetrievalTimeout = options.UrlTimeout;

        // Application policies (Extended Key Usage)
        if (options.RequiredEku != null)
        {
            policy.ApplicationPolicy.Add(options.RequiredEku);
        }

        // Certificate policies
        if (options.RequiredPolicies != null)
        {
            foreach (var policyOid in options.RequiredPolicies)
            {
                policy.CertificatePolicy.Add(policyOid);
            }
        }

        // Custom trust store
        if (options.CustomTrustStore != null)
        {
            policy.CustomTrustStore.AddRange(options.CustomTrustStore);
            policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        }
    }

    // One error line per chain element and status flag
    private List<string> ExtractErrors(X509Chain chain)
    {
        return chain.ChainElements
            .SelectMany(e => e.ChainElementStatus
                .Select(s => $"{e.Certificate.Subject}: {s.Status} ({s.StatusInformation})"))
            .ToList();
    }

    private void ValidatePqRequirements(X509Chain chain, ValidationResult result)
    {
        foreach (var element in chain.ChainElements)
        {
            var cert = element.Certificate;
            var algorithm = cert.PublicKey.Oid.Value;

            // Check whether a PQ algorithm is used
            if (!IsPqAlgorithm(algorithm))
            {
                result.Warnings.Add($"{cert.Subject}: Nije PQ algoritam ({algorithm})");
            }
        }
    }

    private bool IsPqAlgorithm(string oid)
    {
        return oid switch
        {
            "2.16.840.1.101.3.4.3.17" => true, // ML-DSA-44
            "2.16.840.1.101.3.4.3.18" => true, // ML-DSA-65
            "2.16.840.1.101.3.4.3.19" => true, // ML-DSA-87
            _ => false
        };
    }
}
```

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public class ValidationOptions
{
    // Validation time
    public DateTime? ValidationTime { get; set; }

    // Revocation check
    public bool CheckRevocation { get; set; } = true;

    // Extended Key Usage
    public Oid? RequiredEku { get; set; }

    // Certificate Policies
    public List<Oid>? RequiredPolicies { get; set; }

    // Custom trust store
    public X509Certificate2Collection? CustomTrustStore { get; set; }

    // PQ requirements
    public bool RequirePostQuantum { get; set; }

    // Timeout for online checks
    public TimeSpan UrlTimeout { get; set; } = TimeSpan.FromSeconds(30);
}

// Example: TLS server validation
var tlsOptions = new ValidationOptions
{
    RequiredEku = new Oid("1.3.6.1.5.5.7.3.1"), // serverAuth
    CheckRevocation = true,
    RequirePostQuantum = true
};

// Example: code-signing validation
var codeSigningOptions = new ValidationOptions
{
    RequiredEku = new Oid("1.3.6.1.5.5.7.3.3"), // codeSigning
    CheckRevocation = true,
    ValidationTime = signatureTimestamp // signing time; the caller supplies it from the signature's timestamp
};
```

| Status | Meaning | Critical? | Remedy |
|---|---|---|---|
| NoError | No errors | No | - |
| NotTimeValid | Expired / not yet valid | Yes | Renewal |
| NotTimeNested | Validity periods do not nest | Yes | Fix the chain |
| Revoked | Revoked | Yes | New certificate |
| NotSignatureValid | Invalid signature | Yes | Check the chain |
| NotValidForUsage | Wrong purpose | Yes | Correct certificate |
| UntrustedRoot | Root not trusted | Yes | Trust store |
| RevocationStatusUnknown | CRL/OCSP unreachable | Warning | Offline check |
| PartialChain | Chain incomplete | Yes | Add intermediate |
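
As an added example (not part of the original page or the WvdS library), the following applies the status table above: every flag except RevocationStatusUnknown and OfflineRevocation is treated as fatal, and an online build whose only problem is an unreachable CRL/OCSP responder is retried once against cached offline revocation data. Only standard .NET X509Chain types are used; the certificates are assumed to be supplied by the caller.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class ChainStatusPolicy
{
    // Flags the table classifies as a warning rather than a hard failure
    private const X509ChainStatusFlags SoftFailures =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Splits the aggregated chain status into fatal flags and warning flags
    public static (bool Accepted, X509ChainStatusFlags Fatal, X509ChainStatusFlags Warnings)
        Evaluate(X509Chain chain, bool allowRevocationUnknown)
    {
        var combined = chain.ChainStatus
            .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        var warnings = combined & SoftFailures;
        var fatal = combined & ~SoftFailures;
        bool accepted = fatal == X509ChainStatusFlags.NoError
            && (allowRevocationUnknown || warnings == X509ChainStatusFlags.NoError);
        return (accepted, fatal, warnings);
    }

    // Online first; if the only problem is an unreachable responder, retry with cached
    // revocation data (the table's "Offline check" remedy). A fatal flag stops immediately.
    public static bool ValidateWithOfflineFallback(X509Certificate2 cert, X509Certificate2Collection extra)
    {
        foreach (var mode in new[] { X509RevocationMode.Online, X509RevocationMode.Offline })
        {
            using var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
            chain.ChainPolicy.ExtraStore.AddRange(extra);
            chain.Build(cert);

            var (accepted, fatal, warnings) = Evaluate(chain, allowRevocationUnknown: false);
            if (accepted) return true;
            if (fatal != X509ChainStatusFlags.NoError) return false; // hard failure, no retry
            Console.Error.WriteLine($"Revocation status undetermined in {mode} mode: {warnings}");
        }
        // Neither online nor cached data gave a definitive revocation answer
        return false;
    }
}
```

The fallback still rejects the chain when no cached CRL/OCSP data exists; accepting a chain with an undetermined revocation status is a deliberate policy choice and should be logged as such.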

| Industry | Additional checks | Policy OIDs |
|---|---|---|
| WebPKI | CT logs, EV policies | CA/B Forum |
| eIDAS | QC statements, TSL check | 0.4.0.194121.1.* |
| Healthcare | Professional attributes | gematik OIDs |
| Automotive | ECU policies | V2X-specific |

| Relationship | Scenario | Description |
|---|---|---|
| Prerequisite | 5.1 Chain building | Build the chain |
| Next step | 5.3 Revocation check | Check revocation |
| Related | 5.4 Policy validation | Check policies |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional